cache-time through clear capture Commands

cache-time

To specify in minutes how long to allow a CRL to remain in the cache before considering it stale, use the cache-time command in ca-crl configuration mode. To return to the default value, use the no form of this command.

cache-time refresh-time

no cache-time

Syntax Description

refresh-time

Specifies the number of minutes to allow a CRL to remain in the cache. The range is 1 - 1440 minutes. If the NextUpdate field is not present in the CRL, the CRL is not cached.

Defaults

The default setting is 60 minutes.
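The security-relevant consequence of cache-time is a window during which a freshly published revocation is not seen by the FWSM. The following Python model, added here as an example and not taken from the Cisco documentation, applies the two rules stated above: a cached CRL is stale after cache-time minutes, and a CRL without a NextUpdate field is never cached. The `CRL` structure, the `fetch` callback and the serial numbers are constructed stand-ins; a real deployment would parse the downloaded CRL instead.

```python
"""Model of the FWSM ca-crl cache-time behaviour (added example, not Cisco code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional, Set


@dataclass
class CRL:
    """Constructed stand-in for a parsed CRL: revoked serials plus NextUpdate."""
    revoked_serials: Set[str]
    this_update: datetime
    next_update: Optional[datetime] = None   # some CRLs omit NextUpdate


@dataclass
class CRLCache:
    """Keeps the last fetched CRL for at most cache_time_minutes."""
    fetch: Callable[[], CRL]                 # hypothetical download from the CRL distribution point
    cache_time_minutes: int = 60             # FWSM default; valid range is 1-1440
    _crl: Optional[CRL] = field(default=None, init=False)
    _fetched_at: Optional[datetime] = field(default=None, init=False)
    fetch_count: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        if not 1 <= self.cache_time_minutes <= 1440:
            raise ValueError("cache-time must be between 1 and 1440 minutes")

    def _is_stale(self, now: datetime) -> bool:
        if self._crl is None or self._fetched_at is None:
            return True
        return now - self._fetched_at >= timedelta(minutes=self.cache_time_minutes)

    def current(self, now: datetime) -> CRL:
        """Return a usable CRL, refetching when nothing fresh is cached."""
        if not self._is_stale(now):
            return self._crl
        crl = self.fetch()
        self.fetch_count += 1
        if crl.next_update is None:
            # Rule from the command reference: no NextUpdate, no caching.
            self._crl, self._fetched_at = None, None
        else:
            self._crl, self._fetched_at = crl, now
        return crl

    def is_revoked(self, serial: str, now: datetime) -> bool:
        return serial in self.current(now).revoked_serials


def simulate_revocation_window(cache_time_minutes: int = 10) -> dict:
    """Constructed scenario: serial 0x1F is revoked 5 minutes after the first fetch."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    published = {"crl": CRL({"0x0A"}, t0, t0 + timedelta(hours=24))}
    cache = CRLCache(fetch=lambda: published["crl"], cache_time_minutes=cache_time_minutes)

    before = cache.is_revoked("0x1F", t0)                                   # first fetch
    # The CA now publishes a CRL that lists 0x1F as revoked.
    published["crl"] = CRL({"0x0A", "0x1F"}, t0 + timedelta(minutes=5), t0 + timedelta(hours=24))
    inside_window = cache.is_revoked("0x1F", t0 + timedelta(minutes=5))     # still served from cache
    after_refresh = cache.is_revoked("0x1F", t0 + timedelta(minutes=10))    # cache-time elapsed
    return {"before": before, "inside_window": inside_window,
            "after_refresh": after_refresh, "fetches": cache.fetch_count}


def uncacheable_crl_is_refetched_every_time() -> int:
    """A CRL lacking NextUpdate triggers a fetch on every lookup."""
    t0 = datetime(2024, 1, 1)
    cache = CRLCache(fetch=lambda: CRL(set(), t0, None), cache_time_minutes=60)
    for i in range(3):
        cache.is_revoked("0x01", t0 + timedelta(seconds=i))
    return cache.fetch_count
```

The `inside_window` result is the point: with cache-time 10, a certificate revoked at minute 5 is still accepted until the refresh at minute 10, so the value should be chosen against how quickly revocations must take effect, not only against CA load.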

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                Firewall Mode           Security Context
                                            Routed    Transparent   Single    Multiple
                                                                              Context    System
Ca-crl configuration                        •         •             •         •          —

Command History

Release

Modification

3.1(1)

This command was introduced.

Examples

The following example enters ca-crl configuration mode, and specifies a cache time refresh value of 10 minutes for trustpoint central:

hostname(config)# crypto ca trustpoint central

hostname(ca-trustpoint)# crl configure

hostname(ca-crl)# cache-time 10

hostname(ca-crl)#

Related Commands

Command

Description

crl configure

Enters crl configuration mode.

crypto ca trustpoint

Enters trustpoint configuration mode.

enforcenextupdate

Specifies how to handle the NextUpdate CRL field in a certificate.

call-agent

To specify a group of call agents, use the call-agent command in mgcp map configuration mode, which is accessible by using the mgcp-map command. To remove the configuration, use the no form of this command.

call-agent ip_address group_id

no call-agent ip_address group_id

Syntax Description

ip_address

The IP address of the gateway.

group_id

The ID of the call agent group, from 0 to 2147483647.

Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                Firewall Mode           Security Context
                                            Routed    Transparent   Single    Multiple
                                                                              Context    System
mgcp map configuration                      •         •             •         •          —

Command History

Release

Modification

3.1(1)

This command was introduced.

Usage Guidelines

Use the call-agent command to specify a group of call agents that can manage one or more gateways. The call agent group information is used to open connections for the call agents in the group (other than the one a gateway sends a command to) so that any of the call agents can send the response. Call agents with the same group_id belong to the same group. A call agent may belong to more than one group. The group_id option is a number from 0 to 4294967295. The ip_address option specifies the IP address of the call agent.

Examples

The following example allows call agents 10.10.11.5 and 10.10.11.6 to control gateway 10.10.10.115, and allows call agents 10.10.11.7 and 10.10.11.8 to control both gateways 10.10.10.116 and 10.10.10.117:

hostname(config)# mgcp-map mgcp_inbound

hostname(config-mgcp-map)# call-agent 10.10.11.5 101

hostname(config-mgcp-map)# call-agent 10.10.11.6 101

hostname(config-mgcp-map)# call-agent 10.10.11.7 102

hostname(config-mgcp-map)# call-agent 10.10.11.8 102

hostname(config-mgcp-map)# gateway 10.10.10.115 101

hostname(config-mgcp-map)# gateway 10.10.10.116 102

hostname(config-mgcp-map)# gateway 10.10.10.117 102

Related Commands

Command

Description

debug mgcp

Enables the display of debug information for MGCP.

mgcp-map

Defines an MGCP map and enables mgcp map configuration mode.

show mgcp

Displays MGCP configuration and session information.

capture

To enable packet capture capabilities for packet sniffing and network fault isolation, use the capture command in privileged EXEC mode. To disable packet capture capabilities, use the no form of this command.

Note If an ACE in the access list attached to a capture is changed, reconfigure the capture so that the ACL change takes effect for that capture.

Syntax Description

access-list access_list_name

Captures traffic that matches an access list. In multiple context mode, this is only available within a context. This keyword is required except when you specify type asp-drop.

asp-drop [drop-code]

(Optional) Captures packets dropped by the accelerated security path. The drop-code specifies the type of traffic that is dropped by the accelerated security path. See the show asp drop frame command for a list of drop codes. If you do not enter the drop-code argument, then all dropped packets are captured.

You can enter this keyword with packet-length, circular-buffer, and buffer, but not with interface, access-list or ethernet.

buffer buf_size

(Optional) Defines the buffer size used to store the packet in bytes. Once the byte buffer is full, packet capture stops.

capture_name

Specifies the name of the packet capture. Use the same name on multiple capture statements to capture multiple types of traffic. When you view the capture configuration using the show capture command, all options are combined on one line.

circular-buffer

(Optional) Overwrites the buffer, starting from the beginning, when the buffer is full.

ethernet-type type

(Optional) Selects an Ethernet type to capture. The default is IP packets.

interface interface_name

Sets the name of the interface on which to use packet capture. You must configure an interface for any packets to be captured. You can configure multiple interfaces using multiple capture commands with the same name. This keyword is required except when you specify type asp-drop.

isakmp

(Optional) Captures ISAKMP traffic. In multiple context mode, this is only available within a context.

packet-length bytes

(Optional) Sets the maximum number of bytes of each packet to store in the capture buffer.

raw-data

(Optional) Captures inbound and outbound packets on one or more interfaces. This setting is the default.

type

(Optional) Lets you specify the type of data captured.

Defaults

The defaults are as follows:

•The default type is raw-data.

•The default buffer size is 512 KB.

•The default Ethernet type is IP.

•The default packet-length is 68 bytes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                Firewall Mode           Security Context
                                            Routed    Transparent   Single    Multiple
                                                                              Context    System
Privileged EXEC                             •         •             •         •          •

Command History

Release

Modification

1.1(1)

This command was introduced.

3.1(1)

Added the capability to capture all traffic, not just traffic that passes through the general-purpose processor.

Usage Guidelines

Capturing packets is useful when troubleshooting connectivity problems or monitoring suspicious activity. You can create multiple captures. To view a packet capture, use the show capture name command. To save the capture to a file, use the copy capture command.

The FWSM is capable of tracking all IP traffic that flows across it. It is also capable of capturing all the IP traffic that is destined to the FWSM, including all the management traffic (such as SSH and Telnet traffic) to the FWSM.

Enter the no capture command with the access-list and interface keywords to stop the capture without deleting the capture buffer. To stop the capture and delete the buffer, enter no capture name without additional keywords.

Note The capture command is not saved to the configuration, and the capture command is not copied to the standby unit during failover.

Examples

The following example shows that the traffic is captured from an outside host at 171.71.69.234 to an inside HTTP server:

On a web browser, the capture contents for a capture named "captest" can be viewed at the following location:

https://171.69.38.95/capture/captest/pcap

To download a libpcap file (used in web browsers such as Internet Explorer or Netscape Navigator) to a local machine, enter the following:

https://171.69.38.95/capture/http/pcap
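A capture downloaded through the /capture/name/pcap URL is a standard libpcap file, and the packet-length and buffer options above determine what it contains: each record is cut at the snaplen, and a non-circular capture stops when the buffer is full. The following Python module, added here as an example (it is not Cisco code and does not talk to an FWSM), writes a constructed pcap with those two behaviours and parses it back with length checks, which is a reasonable sanity step before feeding a downloaded capture to another tool. The frame contents and timestamps are constructed.

```python
"""Minimal libpcap writer/reader mirroring the capture command's snaplen and buffer rules.

Added example, not FWSM code. Little-endian, microsecond-timestamp pcap only.
"""
import struct
from typing import List, NamedTuple

PCAP_MAGIC = 0xA1B2C3D4                 # little-endian magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len


class Record(NamedTuple):
    ts_sec: int
    ts_usec: int
    orig_len: int
    data: bytes

    @property
    def truncated(self) -> bool:
        return len(self.data) < self.orig_len


def build_pcap(packets, snaplen: int = 68, buffer_size: int = 512 * 1024) -> bytes:
    """Serialise (ts_sec, ts_usec, frame) tuples, cutting at snaplen and stopping when the buffer is full."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    used = 0
    for ts_sec, ts_usec, frame in packets:
        stored = frame[:snaplen]                       # packet-length: keep only the first snaplen bytes
        if used + RECORD_HDR.size + len(stored) > buffer_size:
            break                                      # non-circular buffer: capture stops when full
        out += RECORD_HDR.pack(ts_sec, ts_usec, len(stored), len(frame)) + stored
        used += RECORD_HDR.size + len(stored)
    return bytes(out)


def parse_pcap(data: bytes) -> List[Record]:
    """Parse a pcap blob, validating every length before using it as an index."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("short global header")
    magic, major, minor, _tz, _sig, snaplen, _link = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported magic 0x%08x (big-endian or nanosecond pcap?)" % magic)
    if (major, minor) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))
    records, off = [], GLOBAL_HDR.size
    while off < len(data):
        if len(data) - off < RECORD_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            raise ValueError("inconsistent record lengths at offset %d" % off)
        records.append(Record(ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return records


def constructed_frames():
    """Two constructed frames: a 60-byte minimum-size Ethernet frame and a 1514-byte full one."""
    return [
        (1700000000, 1000, b"\x01" * 60),
        (1700000000, 2500, b"\x02" * 1514),
    ]


def summarize(blob: bytes) -> List[dict]:
    """Per-record view of what a capture with the default 68-byte packet-length preserved."""
    return [{"orig_len": r.orig_len, "stored": len(r.data), "truncated": r.truncated}
            for r in parse_pcap(blob)]
```

With the default packet-length of 68 bytes the second record keeps only Ethernet, IP and TCP headers; raise packet-length when the payload itself is what needs to be examined.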

Related Commands

Command

Description

clear capture

Clears the capture buffer.

copy capture

Copies a capture file to a server.

show capture

Displays the capture configuration when no options are specified.

cd

To change the current working directory to the one specified, use the cd command in privileged EXEC mode.

cd [flash:] [path]

Syntax Description

flash:

Specifies the internal Flash memory, followed by a colon.

path

(Optional) The absolute path of the directory to change to.

Defaults

If you do not specify a directory, the directory is changed to the root directory.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                Firewall Mode           Security Context
                                            Routed    Transparent   Single    Multiple
                                                                              Context    System
Privileged EXEC                             •         •             •         —          •

Command History

Release

Modification

2.2(1)

Support for this command was introduced.

Examples

This example shows how to change to the "config" directory:

hostname# cd flash:/config/

Related Commands

Command

Description

pwd

Displays the current working directory.

certificate

To add the indicated certificate, use the certificate command in crypto ca certificate chain configuration mode. When you use this command, the FWSM interprets the data included with it as the certificate in hexadecimal format. A quit string indicates the end of the certificate. To delete the certificate, use the no form of this command.

Syntax Description


Indicates that the certificate is a certificate authority issuing certificate.

certificate-serial-number

Specifies the serial number of the certificate in hexadecimal format ending with the word quit.

ra-encrypt

Indicates that the certificate is a registration authority key encipherment certificate used in SCEP.

ra-general

Indicates that the certificate is a registration authority certificate used for digital signing and key encipherment in SCEP messaging.

ra-sign

Indicates that the certificate is a registration authority digital signature certificate used in SCEP messaging.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                Firewall Mode           Security Context
                                            Routed    Transparent   Single    Multiple
                                                                              Context    System
Crypto ca certificate chain configuration   •         •             •         •          —

Command History

Release

Modification

3.1(1)

This command was introduced.

Usage Guidelines

A certificate authority is an authority in a network that issues and manages security credentials and public keys for message encryption. As part of a public key infrastructure, a CA checks with a registration authority to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor information, the CA can then issue a certificate.

Examples

The following example enters ca trustpoint mode for a trustpoint named central, then enters crypto ca certificate chain mode for central, and adds a CA certificate with a serial number 29573D5FF010FE25B45:

chain

To enable sending of a certificate chain, use the chain command in tunnel-group ipsec-attributes configuration mode. This action includes the root certificate and any subordinate CA certificates in the transmission. To return this command to the default, use the no form of this command.

chain

no chain

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting for this command is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                Firewall Mode           Security Context
                                            Routed    Transparent   Single    Multiple
                                                                              Context    System
Tunnel-group ipsec attributes configuration •         •             •         •          —

Command History

Release

Modification

3.1(1)

This command was introduced.

Usage Guidelines

You can apply this attribute to all tunnel-group types.

Examples

The following example, entered in config-ipsec configuration mode, enables sending a certificate chain for an IPSec LAN-to-LAN tunnel group with the IP address 209.165.200.225; the chain includes the root certificate and any subordinate CA certificates:

hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2L

hostname(config)# tunnel-group 209.165.200.225 ipsec-attributes

hostname(config-ipsec)# chain

hostname(config-ipsec)#

Related Commands

Command

Description

clear configure tunnel-group

Clears all configured tunnel groups.

show running-config tunnel-group

Shows the indicated certificate map entry.

tunnel-group-map default-group

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.

changeto

To change between security contexts and the system, use the changeto command in privileged EXEC mode.

changeto {system | context name}

Syntax Description

context name

Changes to the context with the specified name.

system

Changes to the system execution space.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                Firewall Mode           Security Context
                                            Routed    Transparent   Single    Multiple
                                                                              Context    System
Privileged EXEC                             •         •             —         •          •

Command History

Release

Modification

2.2(1)

This command was introduced.

Usage Guidelines

If you log in to the system execution space or the admin context, you can change between contexts and perform configuration and monitoring tasks within each context. The "running" configuration that you edit in configuration mode, or that is used in the copy or write commands, depends on which execution space you are in. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context execution space, the running configuration consists only of that context. For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration appears.

Examples

The following example changes between contexts and the system in privileged EXEC mode:

hostname/admin# changeto system

hostname# changeto context customerA

hostname/customerA#

The following example changes between the system and the admin context in interface configuration mode. When you change between execution spaces, and you are in a configuration mode, the mode changes to the global configuration mode in the new execution space.

hostname(config-if)# changeto context admin

hostname/admin(config)#

Related Commands

Command

Description

admin-context

Sets a context to be the admin context.

context

Creates a security context in the system configuration and enters context configuration mode.

show context

Shows a list of contexts (system execution space) or information about the current context.

checkheaps

To configure checkheaps verification intervals, use the checkheaps command in global configuration mode. To set the value to the default, use the no form of this command. Checkheaps is a periodic process that verifies the sanity of the heap memory buffers (dynamic memory is allocated from the system heap memory region) and the integrity of the code region.

checkheaps {check-interval | validate-checksum} seconds

no checkheaps {check-interval | validate-checksum} [seconds]

Syntax Description

check-interval

Sets the buffer verification interval. The buffer verification process checks the sanity of the heap (allocated and freed memory buffers). During each invocation of the process, the FWSM checks the entire heap, validating each memory buffer. If there is a discrepancy, the FWSM issues either an "allocated buffer error" or a "free buffer error." If there is an error, the FWSM dumps traceback information when possible and reloads.

validate-checksum

Sets the code space checksum validation interval. When the FWSM first boots up, the FWSM calculates a hash of the entire code. Later, during the periodic check, the FWSM generates a new hash and compares it to the original. If there is a mismatch, the FWSM issues a "text checksum checkheaps error." If there is an error, the FWSM dumps traceback information when possible and reloads.

seconds

Sets the interval in seconds between 1 and 2147483.

Defaults

The default intervals are 60 seconds each.
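The two checkheaps processes are easier to reason about with a concrete model. The following Python is an added example, not FWSM code: a toy heap frames every buffer with guard words and poisons freed payloads, and `check_heap()` walks all allocated and freed buffers the way the check-interval process does, reporting an "allocated buffer error" or "free buffer error" when a guard or poisoned payload has been disturbed. `CodeRegion` models validate-checksum by hashing a constructed "code" byte string at boot and re-hashing it on each check. The guard values, the poison byte and the hash algorithm are choices made for this example; the real implementation's internals are not described on the page.

```python
"""Toy model of the checkheaps buffer check and code-checksum check (added example, not FWSM code)."""
import hashlib
from typing import Dict, List, Optional, Tuple

GUARD_HEAD = b"\xDE\xAD\xBE\xEF"      # constructed guard words
GUARD_TAIL = b"\xFE\xED\xFA\xCE"
POISON = 0xCC                          # byte written over freed payloads
GUARD = len(GUARD_HEAD)


class ToyHeap:
    def __init__(self, size: int = 256) -> None:
        self.mem = bytearray(size)
        self.blocks: Dict[int, Tuple[int, bool]] = {}   # offset -> (payload size, allocated?)
        self._next = 0

    def alloc(self, size: int) -> int:
        off = self._next
        end = off + GUARD + size + GUARD
        if end > len(self.mem):
            raise MemoryError("toy heap exhausted")
        self.mem[off:off + GUARD] = GUARD_HEAD
        self.mem[off + GUARD + size:end] = GUARD_TAIL
        self.blocks[off] = (size, True)
        self._next = end
        return off + GUARD                      # "pointer" to the payload

    def free(self, ptr: int) -> None:
        off = ptr - GUARD
        size, allocated = self.blocks[off]
        if not allocated:
            raise ValueError("double free")
        self.blocks[off] = (size, False)
        self.mem[ptr:ptr + size] = bytes([POISON]) * size   # a later write-after-free is detectable

    def write(self, ptr: int, data: bytes) -> None:
        """Deliberately unchecked write: an overrun reaches the trailing guard."""
        self.mem[ptr:ptr + len(data)] = data

    def check_heap(self) -> List[str]:
        """The check-interval process: validate every buffer, allocated or freed."""
        errors = []
        for off, (size, allocated) in sorted(self.blocks.items()):
            head = bytes(self.mem[off:off + GUARD])
            tail = bytes(self.mem[off + GUARD + size:off + GUARD + size + GUARD])
            payload = bytes(self.mem[off + GUARD:off + GUARD + size])
            payload_ok = allocated or payload == bytes([POISON]) * size
            if head != GUARD_HEAD or tail != GUARD_TAIL or not payload_ok:
                kind = "allocated" if allocated else "free"
                errors.append(kind + " buffer error @%d" % off)
        return errors


class CodeRegion:
    """validate-checksum: hash the text once at boot, re-hash on every check."""
    def __init__(self, text: bytes) -> None:
        self.text = bytearray(text)
        self.boot_hash = hashlib.sha256(self.text).hexdigest()

    def validate_checksum(self) -> Optional[str]:
        if hashlib.sha256(self.text).hexdigest() != self.boot_hash:
            return "text checksum checkheaps error"
        return None


def demo_overrun() -> List[str]:
    heap = ToyHeap()
    a = heap.alloc(8)
    b = heap.alloc(8)
    heap.write(a, b"A" * 12)            # 4 bytes past the end of a: clobbers a's tail guard
    heap.free(b)
    return heap.check_heap()


def demo_write_after_free() -> List[str]:
    heap = ToyHeap()
    p = heap.alloc(4)
    heap.free(p)
    heap.write(p, b"XX")                # write to a freed buffer disturbs the poison
    return heap.check_heap()


def demo_code_patch() -> Tuple[Optional[str], Optional[str]]:
    region = CodeRegion(b"\x90" * 64)   # constructed "code"
    before = region.validate_checksum()
    region.text[10] = 0xCC              # something altered the text segment after boot
    return before, region.validate_checksum()
```

The interval trade-off is visible in the model: a corruption is only reported at the next walk, so a shorter check-interval shortens the time a corrupted heap is in use, at the cost of scanning the whole heap more often.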

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                Firewall Mode           Security Context
                                            Routed    Transparent   Single    Multiple
                                                                              Context    System
Global configuration                        •         •             •         —          •

Command History

Release

Modification

3.1(1)

Support for this command was introduced.

Examples

The following example sets the buffer allocation interval to 200 seconds and the code space checksum interval to 500 seconds:

hostname(config)# checkheaps check-interval 200

hostname(config)# checkheaps validate-checksum 500

Related Commands

Command

Description

show checkheaps

Shows checkheaps statistics.

class

To create a resource class to which to assign a security context, use the class command in global configuration mode. To remove a class, use the no form of this command.

class name

no class name

Syntax Description

name

Specifies the name as a string up to 20 characters long. To set the limits for the default class, enter default for the name.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                Firewall Mode           Security Context
                                            Routed    Transparent   Single    Multiple
                                                                              Context    System
Global configuration                        N/A       N/A           —         —          •

Command History

Release

Modification

2.2(1)

This command was introduced.

Usage Guidelines

By default, all security contexts have unlimited access to the resources of the FWSM, except where maximum limits per context are enforced. However, if you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context.

The FWSM manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class.

Note The FWSM does not limit the bandwidth per context; however, the switch containing the FWSM can limit bandwidth per VLAN. See the switch documentation for more information.

When you create a class, the FWSM does not set aside a portion of the resources for each context assigned to the class; rather, the FWSM sets the maximum limit for a context. If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can "use up" those resources, potentially affecting service to other contexts. See the limit-resource command to set the resources for the class.

All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class.

If a context belongs to a class other than the default class, those class settings always override the default class settings. However, if the other class has any settings that are not defined, then the member context uses the default class for those limits. For example, if you create a class with a 2 percent limit for all concurrent connections, but no other limits, then all other limits are inherited from the default class. Conversely, if you create a class with a 2 percent limit for all resources, the class uses no settings from the default class.

By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context:

•Telnet sessions—5 sessions.

•SSH sessions—5 sessions.

•IPSec sessions—5 sessions.

•MAC addresses—65,535 entries.

Examples

The following example sets the default class limit for conns to 10 percent instead of unlimited:

hostname(config)# class default

hostname(config-class)# limit-resource conns 10%

All other resources remain at unlimited.

To add a class called gold with all resources set to 5 percent, except for fixups, with a setting of 10 percent, enter the following commands:

hostname(config)# class gold

hostname(config-class)# limit-resource all 5%

hostname(config-class)# limit-resource fixups 10%

To add a class called silver with all resources set to 3 percent, except for system log messages, with a setting of 500 per second, enter the following commands:

hostname(config)# class silver

hostname(config-class)# limit-resource all 3%

hostname(config-class)# limit-resource rate syslogs 500
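The inheritance rule in the usage guidelines (a member class's own settings win, an "all" setting in that class suppresses the default class entirely, and anything the class leaves undefined comes from the default class) is what decides whether a context really is capped. The following Python model is an added example, not FWSM code; it parses limit-resource lines like the gold and silver examples above and resolves the effective limit per resource. The resource-name list and the seeded default-class values are constructed from the defaults stated above (5 Telnet, SSH and IPSec sessions; 65,535 MAC entries); the keys are labels for this model, not necessarily the CLI keywords.

```python
"""Model of resource-class limit resolution for security contexts (added example, not FWSM code)."""
from typing import Dict, Iterable, Union

Limit = Union[str, int, None]     # "10%" (share), 500 (absolute), None = unlimited

# Hypothetical resource labels for the model; only conns, fixups and rate syslogs appear on the page.
RESOURCES = ["conns", "fixups", "hosts", "xlates", "telnet", "ssh", "ipsec",
             "mac-addresses", "rate syslogs"]

# Constructed default class reflecting the documented per-context maximums; the rest is unlimited.
DEFAULT_CLASS: Dict[str, Limit] = {"telnet": 5, "ssh": 5, "ipsec": 5, "mac-addresses": 65535}


def resolve_limits(cls: Dict[str, Limit], default: Dict[str, Limit] = DEFAULT_CLASS) -> Dict[str, Limit]:
    """Effective limit per resource for a context that is a member of `cls`.

    Order: class explicit > class 'all' > default explicit > default 'all' > unlimited.
    """
    effective: Dict[str, Limit] = {}
    for res in RESOURCES:
        if res in cls:
            effective[res] = cls[res]
        elif "all" in cls:
            effective[res] = cls["all"]        # 'all' means the default class is not consulted
        elif res in default:
            effective[res] = default[res]
        else:
            effective[res] = default.get("all")   # None -> unlimited
    return effective


def parse_limit_resource(line: str) -> Dict[str, Limit]:
    """Parse one 'limit-resource [rate] <resource> <value>' line into a single-entry dict."""
    parts = line.split()
    if not parts or parts[0] != "limit-resource":
        raise ValueError("not a limit-resource line: %r" % line)
    parts = parts[1:]
    rate = bool(parts) and parts[0] == "rate"
    if rate:
        parts = parts[1:]
    if len(parts) != 2:
        raise ValueError("expected '<resource> <value>': %r" % line)
    resource, value = parts
    key = "rate " + resource if rate else resource
    limit: Limit = value if value.endswith("%") else int(value)
    return {key: limit}


def build_class(lines: Iterable[str]) -> Dict[str, Limit]:
    cls: Dict[str, Limit] = {}
    for line in lines:
        cls.update(parse_limit_resource(line))
    return cls


# The gold and silver classes from the examples above, plus a class that sets only conns.
GOLD = build_class(["limit-resource all 5%", "limit-resource fixups 10%"])
SILVER = build_class(["limit-resource all 3%", "limit-resource rate syslogs 500"])
CONNS_ONLY = build_class(["limit-resource conns 2%"])


def unlimited_resources(cls: Dict[str, Limit], default: Dict[str, Limit] = DEFAULT_CLASS) -> list:
    """Resources a member of `cls` can consume without bound: the oversubscription risk the page warns about."""
    return [res for res, lim in resolve_limits(cls, default).items() if lim is None]
```

`unlimited_resources(CONNS_ONLY)` is the quick check a reviewer wants: a class that only caps connections still leaves hosts and translations unbounded, exactly the "use up" scenario described above.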

Related Commands

Command

Description

clear configure class

Clears the class configuration.

context

Configures a security context.

limit-resource

Sets the resource limit for a class.

member

Assigns a context to a resource class.

show class

Shows the contexts assigned to a class.

class (policy-map)

To assign a class map to a policy map where you can assign actions to the class map traffic, use the class command in policy-map configuration mode. To remove a class map from a policy map, use the no form of this command.

class classmap-name

no class classmap-name

Syntax Description

classmap-name

Specifies the name for the class map. For a Layer 3/4 policy map (the policy-map command), you must specify a Layer 3/4 class map name (the class-map command). For an inspection policy map (the policy-map type inspect command), you must specify an inspection class map name (the class-map type inspect command).

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                Firewall Mode           Security Context
                                            Routed    Transparent   Single    Multiple
                                                                              Context    System
Policy-map configuration                    •         •             •         •          —

Command History

Release

Modification

3.1(1)

This command was introduced.

Usage Guidelines

The configuration always includes a class map called "class-default" that matches all traffic. At the end of every Layer 3/4 policy map, the configuration includes the class-default class map with no actions defined. This is for internal use only, and cannot be modified.

Including the class-default class map, up to 63 class and match commands can be configured in a policy map.

After you add the class map to the policy map with the class command, you can define one or more actions to be performed on the traffic. Features supported in class configuration mode of a Layer 3/4 policy map include:

•Connection features

•Application inspection

Features supported in class configuration mode of an inspection policy map include:

•Dropping a packet

•Dropping a connection

•Resetting a connection

•Logging

•Masking content

Examples

The following is an example of a policy-map command for connection policy that includes the class command. It limits the number of connections allowed to the web server 10.1.1.1:

The following example shows how traffic matches the first available class map, and will not match any subsequent class maps that specify actions in the same feature domain:

hostname(config)# class-map telnet_traffic

hostname(config-cmap)# match port tcp eq 23

hostname(config)# class-map ftp_traffic

hostname(config-cmap)# match port tcp eq 21

hostname(config)# class-map tcp_traffic

hostname(config-cmap)# match port tcp range 1 65535

hostname(config)# class-map udp_traffic

hostname(config-cmap)# match port udp range 0 65535

hostname(config)# policy-map global_policy

hostname(config-pmap)# class telnet_traffic

hostname(config-pmap-c)# set connection timeout tcp 0:0:0

hostname(config-pmap-c)# set connection conn-max 100

hostname(config-pmap)# class ftp_traffic

hostname(config-pmap-c)# set connection timeout tcp 0:5:0

hostname(config-pmap-c)# set connection conn-max 50

hostname(config-pmap)# class tcp_traffic

hostname(config-pmap-c)# set connection timeout tcp 2:0:0

hostname(config-pmap-c)# set connection conn-max 2000

When a Telnet connection is initiated, it matches class telnet_traffic. Similarly, if an FTP connection is initiated, it matches class ftp_traffic. For any TCP connection other than Telnet and FTP, it will match class tcp_traffic. Even though a Telnet or FTP connection can match class tcp_traffic, the FWSM does not make this match because they previously matched other classes.
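The ordering rule just described is what makes the example work: had tcp_traffic been listed first, every TCP connection would take its 2000-connection limit and the telnet and ftp classes would never be consulted. The following Python model is an added example, not FWSM code; it parses the `match port` lines from the example above into class maps, applies them in policy-map order, and returns the first match. Only the `eq` and `range` port forms are modelled, and the connection settings are carried as plain strings.

```python
"""First-match classification model for Layer 3/4 policy maps (added example, not FWSM code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ClassMap:
    name: str
    proto: str                  # "tcp" or "udp"
    ports: Tuple[int, int]      # inclusive destination-port range; 'eq N' becomes (N, N)

    def matches(self, proto: str, dport: int) -> bool:
        return proto == self.proto and self.ports[0] <= dport <= self.ports[1]


def parse_match_port(line: str) -> Tuple[str, Tuple[int, int]]:
    """Parse 'match port tcp eq 23' or 'match port udp range 0 65535'."""
    t = line.split()
    if t[:2] != ["match", "port"] or len(t) < 5:
        raise ValueError("unsupported match line: %r" % line)
    proto = t[2]
    if t[3] == "eq":
        n = int(t[4])
        return proto, (n, n)
    if t[3] == "range" and len(t) == 6:
        lo, hi = int(t[4]), int(t[5])
        if lo > hi:
            raise ValueError("inverted range: %r" % line)
        return proto, (lo, hi)
    raise ValueError("unsupported match line: %r" % line)


@dataclass
class PolicyMap:
    name: str
    entries: List[Tuple[ClassMap, Dict[str, str]]] = field(default_factory=list)

    def add(self, cmap: ClassMap, **settings: str) -> None:
        """Append a class in the order it was entered in policy-map configuration mode."""
        self.entries.append((cmap, settings))

    def classify(self, proto: str, dport: int) -> Optional[str]:
        """Name of the first class that matches; None means class-default (no action)."""
        for cmap, _ in self.entries:
            if cmap.matches(proto, dport):
                return cmap.name
        return None

    def settings_for(self, proto: str, dport: int) -> Dict[str, str]:
        for cmap, settings in self.entries:
            if cmap.matches(proto, dport):
                return settings
        return {}


PAGE_CLASS_MAPS = [("telnet_traffic", "match port tcp eq 23"),
                   ("ftp_traffic", "match port tcp eq 21"),
                   ("tcp_traffic", "match port tcp range 1 65535"),
                   ("udp_traffic", "match port udp range 0 65535")]


def build_policy(order: List[str]) -> PolicyMap:
    """Build global_policy with the example's settings, adding classes in the given order."""
    cmaps = {name: ClassMap(name, *parse_match_port(line)) for name, line in PAGE_CLASS_MAPS}
    settings = {"telnet_traffic": dict(timeout="0:0:0", conn_max="100"),
                "ftp_traffic": dict(timeout="0:5:0", conn_max="50"),
                "tcp_traffic": dict(timeout="2:0:0", conn_max="2000")}
    pm = PolicyMap("global_policy")
    for name in order:
        pm.add(cmaps[name], **settings[name])
    return pm


# The policy as entered above; udp_traffic is defined but never added, so UDP hits class-default.
PAGE_POLICY = build_policy(["telnet_traffic", "ftp_traffic", "tcp_traffic"])
```

`build_policy(["tcp_traffic", "telnet_traffic", "ftp_traffic"])` reproduces the misordering case: `classify("tcp", 23)` then returns `tcp_traffic`, which is the kind of silent policy shadowing worth checking for in a configuration review.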

Related Commands

Command

Description

class-map

Creates a Layer 3/4 class map.

class-map type management

Creates a Layer 3/4 class map for management traffic.

clear configure policy-map

Removes all policy-map configuration, except for any policy-map that is in use in a service-policy command.

match

Defines the traffic-matching parameters.

policy-map

Configures a policy; that is, an association of one or more traffic classes, each with one or more actions.

class-map

When using the Modular Policy Framework, identify Layer 3 or 4 traffic to which you want to apply actions by using the class-map command (without the type keyword) in global configuration mode. To delete a class map, use the no form of this command.

class-map class_map_name

no class-map class_map_name

Syntax Description

class_map_name

Specifies the class map name, up to 40 characters in length. The names "class-default" and any name that begins with "_internal" or "_default" are reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                Firewall Mode           Security Context
                                            Routed    Transparent   Single    Multiple
                                                                              Context    System
Global configuration                        •         •             •         •          —

Command History

Release

Modification

3.1(1)

This command was introduced.

Usage Guidelines

A Layer 3/4 class map identifies Layer 3 and 4 traffic to which you want to apply actions. The maximum number of class maps (Layer 3/4, inspection, and regular expression) is 255 in single mode or per context in multiple mode. This limit includes default class maps.

The configuration includes many internally-created default class maps, including a default Layer 3/4 class map that the FWSM uses in the default global policy. It is called inspection_default and matches the default inspection traffic:

class-map inspection_default

match default-inspection-traffic

Another class map that exists in the default configuration is called class-default, and it matches all traffic:

class-map class-default

match any

This class map appears at the end of all Layer 3/4 policy maps and essentially tells the FWSM to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own match any class map.

Default class maps also include inspection class maps.

To view all default class maps, as well as any user-created class maps, enter the show running-config all class-map command.

Maximum Class Maps

The maximum number of class maps of all types is 255 in single mode or per context in multiple mode. Class maps include the following types:

•class-map

•class-map type inspect

•class-map type regex

•match commands used in policy-map type inspection mode

This limit also includes default class maps of all types.

Configuration Overview

Configuring Modular Policy Framework consists of four tasks:

1. Identify the Layer 3 and 4 traffic to which you want to apply actions using the class-map command.

3. Apply actions to the Layer 3 and 4 traffic using the policy-map command.

4. Activate the actions on an interface using the service-policy command.

Use the class-map command to enter class-map configuration mode. From class-map configuration mode, you can define the traffic to include in the class using the match command. A Layer 3/4 class map contains, at most, one match command that identifies the traffic included in the class map, except if you have the match default-inspection-traffic command. In that case, you can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic. Because the match default-inspection-traffic command specifies the ports to match, any ports in the access list are ignored.

Related Commands

Creates a policy map by associating the traffic class with one or more actions.

policy-map type inspect

Defines special actions for application inspection.

service-policy

Creates a security policy by associating the policy map with one or more interfaces.

show running-config class-map

Displays the information about the class map configuration.

class-map type inspect

When using the Modular Policy Framework, match criteria that are specific to an inspection application by using the class-map type inspect command in global configuration mode. To delete an inspection class map, use the no form of this command.

class-map type inspect application [match-all] class_map_name

no class-map [type inspect application [match-all]] class_map_name

Syntax Description

application

Specifies the type of application traffic you want to match. Available types include:

•http

•sip

class_map_name

Specifies the class map name, up to 40 characters in length. The names "class-default" and any name that begins with "_internal" or "_default" are reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map.

match-all

(Optional) Specifies that traffic must match all criteria to match the class map. match-all is the default and only option.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                Firewall Mode           Security Context
                                            Routed    Transparent   Single    Multiple
                                                                              Context    System
Global configuration                        •         •             •         •          —

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

Modular Policy Framework lets you configure special actions for many application inspections. When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as defined in an inspection policy map (see the policy-map type inspect command).

In the inspection policy map, you can identify the traffic you want to act upon by creating an inspection class map. The class map contains one or more match commands. (You can alternatively use match commands directly in the inspection policy map if you want to pair a single criterion with an action.) You can match criteria that are specific to an application. For example, for HTTP traffic, you can match text in a URL.

The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you group multiple match commands, and you can reuse class maps. For the traffic that you identify in this class map, you can specify actions such as dropping, resetting, and/or logging the connection in the inspection policy map.

The maximum number of class maps of all types is 255 in single mode or per context in multiple mode. Class maps include the following types:

•class-map

•class-map type inspect

•class-map type regex

•match commands used in policy-map type inspection mode

This limit also includes default class maps of all types. See the class-map command for more information.

Examples

The following example creates an HTTP class map that must match all criteria:

Related Commands

Creates a policy map by associating the traffic class with one or more actions.

policy-map type inspect

Defines special actions for application inspection.

service-policy

Creates a security policy by associating the policy map with one or more interfaces.

show running-config class-map

Displays the information about the class map configuration.

class-map type regex

When using the Modular Policy Framework, group regular expressions for use with matching text by using the class-map type regex command in global configuration mode. To delete a regular expression class map, use the no form of this command.

class-map type regex match-any class_map_name

no class-map [type regex match-any] class_map_name

Syntax Description

class_map_name

Specifies the class map name, up to 40 characters in length. The names "class-default" and any name that begins with "_internal" or "_default" are reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map.

match-any

Specifies that the traffic matches the class map if it matches only one of the regular expressions. match-any is the only option.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                Firewall Mode           Security Context
                                            Routed    Transparent   Single    Multiple
                                                                              Context    System
Global configuration                        •         •             •         •          —

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

Modular Policy Framework lets you configure special actions for many application inspections. When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as defined in an inspection policy map (see the policy-map type inspect command).

In the inspection policy map, you can identify the traffic you want to act upon by creating an inspection class map containing one or more match commands or you can use match commands directly in the inspection policy map. Some match commands let you identify text in a packet using a regular expression; for example, you can match URL strings inside HTTP packets. You can group regular expressions in a regular expression class map.

Before you create a regular expression class map, create the regular expressions using the regex command. Then, identify the named regular expressions in class-map configuration mode using the match regex command.

The maximum number of class maps of all types is 255 in single mode or per context in multiple mode. Class maps include the following types:

•class-map

•class-map type inspect

•class-map type regex

•match commands used in policy-map type inspection mode

This limit also includes default class maps of all types. See the class-map command for more information.

Examples

The following example creates two regular expressions, and adds them to a regular expression class map. Traffic matches the class map if it includes the string "example.com" or "example2.com."
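The two match semantics on this page combine in a way that is easy to get wrong: a regex class map is match-any (one regular expression hit is enough), while the inspection class map that uses it is match-all (every criterion must hold). The following Python model is an added example, not FWSM code, covering both this command and class-map type inspect: it evaluates constructed regular expressions for "example.com" and "example2.com" with match-any semantics and nests the result in a match-all HTTP inspection class that also requires a POST. The `HttpRequest` structure, the criterion names and the request samples are constructed for the example.

```python
"""Regex class map (match-any) inside an HTTP inspection class map (match-all); added example, not FWSM code."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class RegexClassMap:
    """class-map type regex match-any: true if any member regex matches."""
    name: str
    patterns: List[str]
    _compiled: List["re.Pattern"] = field(init=False, default_factory=list)

    def __post_init__(self) -> None:
        self._compiled = [re.compile(p) for p in self.patterns]

    def matches(self, text: str) -> bool:
        return any(rx.search(text) for rx in self._compiled)


@dataclass
class HttpRequest:
    """Constructed minimal view of a request as an inspection engine would see it."""
    method: str
    uri: str
    headers: Dict[str, str]


@dataclass
class InspectClassMap:
    """class-map type inspect http match-all: every criterion must hold."""
    name: str
    criteria: List[Callable[[HttpRequest], bool]] = field(default_factory=list)

    def match_request_uri_regex_class(self, rcm: RegexClassMap) -> "InspectClassMap":
        """Hypothetical criterion: request URI matches the regex class map."""
        self.criteria.append(lambda r: rcm.matches(r.uri))
        return self

    def match_request_method(self, method: str) -> "InspectClassMap":
        """Hypothetical criterion: request method equals the given one."""
        self.criteria.append(lambda r: r.method.upper() == method.upper())
        return self

    def matches(self, req: HttpRequest) -> bool:
        return all(c(req) for c in self.criteria)


# Constructed regexes standing in for the two named by 'regex' commands.
DOMAINS = RegexClassMap("example_domains", [r"example\.com", r"example2\.com"])

# match-all: URI must hit the regex class AND the method must be POST.
HTTP_CLASS = (InspectClassMap("http_class")
              .match_request_uri_regex_class(DOMAINS)
              .match_request_method("POST"))


def classify(req: HttpRequest) -> Dict[str, bool]:
    """Show the two layers separately so the any/all difference is visible."""
    return {"regex_any": DOMAINS.matches(req.uri), "inspect_all": HTTP_CLASS.matches(req)}
```

One caveat the model makes visible: `re.search` with an unanchored pattern such as `example\.com` also matches `notexample.com` or `example.com.attacker.test`, so regular expressions meant to identify a host should be anchored or otherwise bounded before they are relied on for a drop or reset action.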

Syntax Description

Specifies a specific username for which the failed-attempts counter is reset to 0.

username

Indicates that the following parameter is a username, for which the failed-attempts counter is reset to 0.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                Firewall Mode           Security Context
                                            Routed    Transparent   Single    Multiple
                                                                              Context    System
Privileged EXEC                             •         •             •         •          —

Command History

Release

Modification

3.1(1)

This command was introduced.

Usage Guidelines

Use this command when a user has failed authentication a few times and you want to reset the counter to zero, for example, when the configuration has recently been modified.

After the configured number of failed authentication attempts, the user is locked out of the system and cannot successfully log in until either a system administrator unlocks the username or the system reboots.

The number of failed attempts resets to zero and the lockout status resets to No when the user successfully authenticates or when the FWSM reboots.

Locking or unlocking a username results in a syslog message.

A system administrator with a privilege level of 15 cannot be locked out.

Examples

The following example shows use of the clear aaa local user authentication fail-attempts command to reset the failed-attempts counter to 0 for the username anyuser: